Individuals have a right to access their own health records, and in limited circumstances, access to the records of other people. The Government has made a commitment that patients should gain access to their health records within 21 days following a request. Access to health records may also be granted in limited circumstances for relatives or in the case of deceased patients.

This briefing describes how patients may request access to their records, and the circumstances in which access to the records of others may be allowed, including new requirements introduced by the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It also describes statutory and public interest disclosures of patient information; information sharing rules for people who lack mental capacity; and access to information on hereditary conditions for relatives.

The Government has encouraged the NHS to make better use of technology, so that patients can manage their own healthcare needs, whilst ensuring that data remains safe at all times. It has also committed to making all patient and care records digital, real-time and interoperable by 2020.

This briefing also outlines safeguarding arrangements for confidential patient information. In 2013, a review was carried out by the National Data Guardian for health and care, Dame Fiona Caldicott, to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve care.

In 2016, a subsequent review by Dame Fiona Caldicott looked at data security and patient opt-outs for the use of their data. Recommendations from this review led to a number of changes in NHS data security policy, and the launch in May 2018 of a new national data opt-out programme.